Description of problem:
When testing the RHEL 7 compose of Satellite 6 I need to set restrict_registered_puppetmasters=false in foreman settings under auth in order for puppet runs to succeed. This is not happening on RHEL 6 composes.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. yum -y install katello on a RHEL 7 system
2. katello-installer; export FORWARDERS=$(for i in $(cat /etc/resolv.conf |grep nameserver|awk '{print $2}'); do echo --capsule-dns-forwarders $i;done) && export OAUTH_SECRET=$(grep oauth_consumer_secret /etc/foreman/settings.yaml | cut -d ' ' -f 2) && katello-installer --capsule-parent-fqdn $(hostname) --capsule-dns true $FORWARDERS --capsule-dns-interface eth0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface eth0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret $OAUTH_SECRET

Actual results:
after the install running puppet agent --test fails repeatedly

Expected results:
puppet agent --test runs normally

Additional info:
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
In app/controllers/concerns/foreman/controller/smart_proxy_auth.rb, dn is evaluating with this format on RHEL 6:

/C=US/ST=North Carolina/O=FOREMAN/OU=PUPPET/CN=satellite1.montleon.intra

but on RHEL 7 it is coming up as:

CN=satellite2.montleon.intra,OU=PUPPET,O=FOREMAN,ST=North Carolina,C=US

So on https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb#L44 this is causing $1 from the match above to be:

"satellite2.montleon.intra,OU=PUPPET,O=FOREMAN,ST=North"

By changing

request_hosts = [$1]

to

request_hosts = [$1.gsub(/,(\S+)/i, '')]

it seems to work around the issue.
I'm trying to get Foreman installed at a client site and have been running into the above bug, but for different reasons. If you generate the PKI certs on Windows, it will use "/" as the separation character.

If https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb#L41 is changed to the string below, the parse works for SSL certs which use "/" and "," as the separator.

dn =~ /CN=([^\s\/,]+)/i
I'm trying to get Foreman installed at a client site and have been running into the above bug, but for different reasons. If you generate the PKI certs on Windows, it will use "/" as the separation character. In addition, the default regex will not pull only the CN entry, but anything after the CN as well. This was causing strange errors like the following:

/var/log/foreman/production.log:No smart proxy server found on ["foreman.linux.lab.local/emailAddress=user"] and is not in trusted_puppetmaster_hosts

The DN for the cert in question, which was signed by a Windows CA, is:

"/C=US/ST=NC/L=City/O=Example/OU=IT/CN=foreman.linux.lab.local/emailAddress=user"

If https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb#L41 is changed to the string below, the parse works for SSL certs which use "/" and "," as the separator.

dn =~ /CN=([^\s\/,]+)/i
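The two DN layouts and the proposed pattern from the comments above, as an added example that is not part of any comment and not Foreman's own code. The whitespace-delimited pattern is an assumption chosen because it reproduces the bad values quoted in the thread, and `cn_parsed` is a hypothetical alternative that reads CN by attribute name through Ruby's OpenSSL bindings.

```ruby
require 'openssl'

# DN strings quoted in the thread.
DN_SLASH = '/C=US/ST=North Carolina/O=FOREMAN/OU=PUPPET/CN=satellite1.montleon.intra'
DN_COMMA = 'CN=satellite2.montleon.intra,OU=PUPPET,O=FOREMAN,ST=North Carolina,C=US'
DN_EMAIL = '/C=US/ST=NC/L=City/O=Example/OU=IT/CN=foreman.linux.lab.local/emailAddress=user'

# Assumption: a capture that runs to the next whitespace. It reproduces the
# values reported in the thread but is not quoted from Foreman's source.
def cn_until_whitespace(dn)
  dn[/CN=(\S+)/i, 1]
end

# The pattern proposed in the thread: stop at whitespace, "/" or ",".
def cn_until_separator(dn)
  dn[/CN=([^\s\/,]+)/i, 1]
end

# Hypothetical alternative: parse the DN into attributes and read the CN
# attribute by name, so the host name compared for authorization never
# depends on which separator or attribute order the web server emitted.
def cn_parsed(dn)
  name = if dn.start_with?('/')
           OpenSSL::X509::Name.parse_openssl(dn)   # "/C=US/.../CN=host"
         else
           OpenSSL::X509::Name.parse_rfc2253(dn)   # "CN=host,OU=...,C=US"
         end
  pair = name.to_a.find { |key, _value, _type| key == 'CN' }
  pair && pair[1]
end

# Returns one row per DN with the result of each extraction method.
def compare_all
  [DN_SLASH, DN_COMMA, DN_EMAIL].map do |dn|
    { dn: dn,
      whitespace: cn_until_whitespace(dn),
      separator: cn_until_separator(dn),
      parsed: cn_parsed(dn) }
  end
end

compare_all.each { |row| puts row.inspect } if $PROGRAM_NAME == __FILE__
```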
Upstream bug assigned to orabin
Moving to POST since upstream bug http://projects.theforeman.org/issues/6205 has been closed

-------------
Andrew N
I'm trying to get Foreman installed at a client site and have been running into the above bug, but for different reasons. If you generate the PKI certs on windows, it will use "/" as the separation character. In addition the default regex will not pull only the CN entry, but anything after the CN as well. This was causing strange errors like the following:

/var/log/foreman/production.log:No smart proxy server found on ["foreman.linux.lab.local/emailAddress=user"] and is not in trusted_puppetmaster_hosts

The DN for the cert in question which was signed by a Windows CA is:

"/C=US/ST=NC/L=City/O=Example/OU=IT/CN=foreman.linux.lab.local/emailAddress=user"

if https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb#L41 is changed to the string below, the parse works for SSL certs which use "/" and "," as the separator.

dn =~ /CN=([^\s\/,]+)/i

-------------
Andrew N
Applied in changeset commit:2821b5e250d2f311e2070c41879720f8745507cf.
*** Bug 1131223 has been marked as a duplicate of this bug. ***
Verified in Satellite-6.0.4-RHEL-7-20140829.0
This was delivered with Satellite 6.0 which was released on 10 September 2014.